info-cvs

RE: New update to the CVS ACL patch to support user groups


From: Noel L Yap
Subject: RE: New update to the CVS ACL patch to support user groups
Date: Wed, 25 Jul 2001 16:37:52 -0400

>If I could take on SSH admin myself (without
>root) and could handle repository write access like pserver readers/writers
>(without having to deal with unix groups), then I would be willing to consider
>the startup costs of setting up real accounts for windows developers on the
>UNIX side.

It sounds like you have the requirement that multiple users share one CVS
account.  By definition, such a system will not be as secure as one where
individuals have their own accounts.

I think this is doable.  You can install SSH without being root (although you
may open yourself up to certain types of attacks since you won't be able to use
a privileged port).

Then set up the users to SSH into the account you want them to use (each should
have their own keypair) and configure it so that CVS is the only thing they can
do.

You then manage permissions the way you would normally do under a non-pserver
environment.  Group and ACL maintenance shouldn't be too bothersome since you
shouldn't have many users at this point (the CVS user account "replaces" Unix
groups for all intents and purposes).

Depending on how worried you are about hacks, you may want to do some auditing
as Greg has suggested.

>I currently do not have any problems. We are on a private network behind a
>firewall. If pserver was ripped out of CVS, what functionality/features would go
>with it? Since .rhost files are commonly banned at companies from what I have
>seen, what is left if pserver is removed from CVS C/S protocol?

SSH :-)

>I am beginning to think that my setup with non-root pserver is the simplest for
>my environment.

I think the arguments start because some consider security to be an issue.  If
it's not that large an issue (eg you're not worried about hackers), simplicity
may be a bigger requirement.  OTOH, the more you do something, the simpler it
seems.

>Thanks, this is good to know and I will try it out. But I still think
>(non-root) pserver has its place and uses, IMHO, pserver is better than sgid
>bits on cvs binaries or trying to keep up with set bits on directories and ACL
>access controls, or patching CVS to do these things.

I like the way CVS delegates authentication and authorisation to the tools that
are really responsible for those tasks.  It keeps all the tools usable and
simple (each has a defined interface that the others can easily use).

Noel
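
The shared-account setup described in the message above (one keypair per developer, CVS as the only permitted action, plus auditing), sketched as an added example that is not part of the original post. It assumes OpenSSH's forced-command mechanism; the script path `/home/cvs/bin/cvs-only` and the per-key label `alice` are hypothetical.

```shell
#!/bin/sh
# Forced-command wrapper for a shared CVS account (added example).
# Assumed authorized_keys entry, one per developer key (path and label are
# hypothetical; the key itself is elided):
#   command="/home/cvs/bin/cvs-only alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ... alice
# OpenSSH runs the forced command instead of the client's request and exports
# the request as SSH_ORIGINAL_COMMAND.

# Succeeds only for the exact command a CVS client sends over :ext: with the
# default CVS_SERVER, so "cvs server; sh" or an interactive login is refused.
cvs_gate() {
    [ "$1" = "cvs server" ]
}

# Build one audit line; non-printable bytes in the request become "?" so a
# client cannot forge extra log lines.
audit_line() {
    clean=$(printf '%s' "$3" | tr -c '[:print:]' '?')
    printf 'user=%s decision=%s requested=%s\n' "$1" "$2" "$clean"
}

main() {
    user=$1
    requested=${SSH_ORIGINAL_COMMAND-}
    if cvs_gate "$requested"; then
        logger -t cvs-only "$(audit_line "$user" allow "$requested")"
        exec cvs server
    fi
    logger -t cvs-only "$(audit_line "$user" deny "$requested")"
    echo "This account only serves CVS." >&2
    exit 1
}

# Run only when sshd passes the per-key label as an argument.
[ $# -eq 0 ] || main "$@"
```

Because the label comes from the `authorized_keys` line rather than from the client, the log attributes each session to a keypair even though every developer logs in as the same Unix account.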


